The European Data Protection Regulation – and how it could affect you

by Rich B

If you use consumer data in your business and you’ve not heard of the European General Data Protection Regulation, then it’s probably worth casting your eye over the page below. We’ve brought together a high-level view of what it is, how it could affect you and when it’s due to be introduced – all you need to know until the day it’s either introduced or kicked out.

What is the General Data Protection Regulation?

The GDPR is an attempt to standardise the way individual’s data is protected across the EU as well as enshrine certain rights of individuals on how their data is used.

With 27 countries all having different data laws, it might sound like a sensible move. However, the devil’s in the detail and because the regulations cover the way all personal digital data is stored and used across the EU, and with claims that it could cost UK business an estimated £47bn in lost sales/costs, there are real concerns that it goes too far in limiting the ability of business to trade competitively.

Will it affect me?

If you’re part of a business who’s using EU consumer data (whether you’re based in the EU or not) and/or the person who manages your data is based in the EU, then yes, it’ll affect you. See below for how it’ll impact on your business.

When will it affect me?

The vote on whether to adopt the regulation has been postponed to next month (May ’13). Should it be enacted, the regulations will come into effect in 2014 with a two year period of grace to implement changes meaning you’d have to be fully compliant by some time in 2016.

What Does the Regulation Say?

As you can imagine, there’s lots of detail and the regulation acknowledges that not all data is the same – for example essential medical data is different from purchasing data. However, as a business that stores and uses customer data, here are some of the most important points:

Profiling

No automated data processing to give deeper behavioural insight will be allowed unless explicit and specific consent is given. If consent isn’t given, that eliminates the ability to segment and profile data which drives much direct marketing activity.

Consent & Opt-ins

Explicit opt-in consent must be given by an individual and marketers can only contact them regarding similar products and services. This includes consumers having to provide express opt-ins for 3rd party mailings. This will have a huge impact on the amount of data available for list swaps, list rental and data appending, and it’s expected to severely limit the amount of cold prospect data available from commercial sources.

Portability

The regulation makes it easier for people to access and transfer personal data – and companies must respond to these requests quickly.

Analytics

User’s IP addresses would be reclassified as private information making it unusable for marketers and provide only basic, non-specific analytics.

The right to be forgotten

One of the key proposals is that people have the right to be forgotten; i.e. if they use a service, then leave it, they can request that all their data is deleted or that the data is automatically deleted after a set period. That includes purchase history, location, name and address data.

Where data is passed on to a 3rd party it would then be up to the 1st party to request the data is deleted – which points towards a huge potential overhead in managing inter-organisation data removal.

Mailing, inserts, door-drops, catalogues

By restricting or removing qualified prospect mail order lists from the market, it’s difficult to see how any form of targeting can take place. DEFRA have already stated their intention of subjecting direct mail to consumer opt-ins in the name of reducing the amount of mail which goes into landfill. The irony is of course that improved data leads to improved targeting and less wastage, and that because the vast majority of direct mail is recycled, there’s been a large reduction in waste hitting landfills in recent years. It’s quite possible both these initiatives will lead to the return to poorly targeted and more wasteful ‘carpet bombing’ approaches, driving marketers away from targeted direct mail to inserts and door drops. It will also reduce the distribution of catalogues which use targeted prospect lists to find new customers, instead leaving them to rely on customers opting-in through other avenues.

Anything else?

Companies with over 250 employees will need a dedicated Data Protection Officer to handle compliance, and non-compliance could lead to penalties of up to €1m or 2% of the global annual turnover of a company.

Britain is seeking an opt out of key parts of the regulation while there are active campaigns from many business groups such as the Direct Commerce Association and the Direct Marketing Association. They believe the legislation will severely harm to ability to optimise marketing, leading to increased wastage, increased overheads and a reduction in competitiveness for UK businesses.